During the past years, the interest in radio access technologies for providing services for voice, video and data has increased. There are various telecom technologies used in cellular communications. The most widespread radio access technology for mobile communication is digital cellular. Increased interest is shown in 3G (third generation) systems. 3G systems and, then, even higher bandwidth radio communications introduced by Universal Terrestrial Radio Access (UTRA) standards made applications like surfing the web more easily accessible to millions of users.
Even as new network designs are rolled out by network manufacturers, future systems which provide greater data throughputs to end user devices are under discussion and development. For example, the so-called 3GPP Long Term Evolution (LTE) standardization project is intended to provide a technical basis for radio communications in the decades to come. The air interface of LTE is also called E-UTRAN, Evolved UTRA Network. An overall description of E-UTRA is found in the description Stage 2 (3GPP TS 36.300 version 8.5.0 Release 8) ETSI TS 136 300 of 1 Jul. 2008. Among other things of note with regard to LTE systems is that they provide for creation of neighbor cell relations in eNodeBs (eNBs), where an eNodeB (eNB) is the base station of the LTE system. More specifically, with respect to FIG. 1, a telecommunication system 10 may include one or more eNBs 12 that are connected via an interface S1 to a core network 14 of the system. Another interface X2 connects the eNBs 12 among themselves. One eNB may serve one or more cells 16. The generic term “base station” is used to refer to an eNB in the LTE system or a NodeB in a WCDMA system or for other base stations of other systems as will be appreciated by those skilled in the art. Also for simplicity, it is assumed that each eNB serves only one cell although an eNB may serve multiple cells.
In the following, the base station of interest is referred to as the “serving base station” and a neighbor base station is referred to as the “neighbor base station.” Each cell in a telecommunication system is assigned one of 504 possible physical cell identities (PCI). The PCI may be broadcast on layer 1 in the cell. Knowledge of the PCI of the cell is needed for a terminal (also called user equipment, user terminal, which is implemented as a mobile phone, personal digital assistant, camera, etc.) to correctly decode a downlink transmission in a cell. Thus, the PCI is used to distinguish cells from each other and to enable decoding of downlink transmissions. Because the 504 different PCIs are not enough to give every cell a unique PCI (i.e., there are more than 504 cells in a given telecommunication network), the PCIs are reused in a radio network. FIG. 2 illustrates an example of how the PCIs of cells in a telecommunication network are reused. Sufficient reuse distances should be used between cells A and C that have the same PCI, so that PCI conflicts are minimized. However, when PCI conflicts occur, these conflicts should be resolved, i.e., at least one cell should have its PCI changed so that the conflict is eliminated. The PCI is a physical layer parameter, which may be easily and quickly read by a terminal. This parameter is reported to the base stations together with Reference Signal Received Power (RSRP) levels in measurement reports generated by the terminals. A base station (or another type of node in the network in some cellular telecommunication systems) may use these measurement reports, e.g., to determine whether the reporting terminal should be handed over to another cell.
The PCI is relevant to another aspect of a telecommunication system, which is discussed next. During a call (i.e., while maintaining a connection with or via the cellular network), a mobile terminal 18 moves around from a serving cell 16a to a neighbor cell 16b, moving from one cell to one of its neighbors repeatedly. A list of the known neighbor cells of the serving cell 16a (the same is true for each serving cell), called “neighbor cell set,” may be used both by the network 10 and by the mobile terminal 18 to enable reliable handover between cells. The network 10 may store information relating to a neighbor cell set. The neighbor cell set may be used for evaluation and handover of any mobile terminal, from one cell to another cell, as the mobile terminal crosses a cell boundary. The neighbor cell set is generated based on the PCIs of the cells in the network. A factor that affects the neighbor cell set is the fact that the cell boundaries are not sharply defined. The cell boundaries are somewhat blurred as the range of the base stations overlap with one another and thus, these facts need to be taken into account when generating the neighbor cell list.
A different approach for avoiding PCI conflict is the use of Global or Network Level Cell Identity. Different terms are used for the global or network level cell identity. The term used in this disclosure is Public Land Mobile Network (PLMN) level cell identity (CIPL). A CIPL is unique within the PLMN. Thus, there is no conflict between any two cells in the PLMN. The combination of a CIPL and a PLMN identity (e.g., Mobile Country Code (MCC) combined with Mobile Network Code (MNC)) becomes a globally unique identification of a cell, often referred to as a Global Cell Identity (GCI) or Cell Global Identity (CGI). Both the CIPL and the PLMN identity may be included in the system information that is periodically broadcast in each cell. Because a CIPL, unlike a PCI, is unique within a PLMN, no reuse coordination of CIPLs is needed.
However, using CIPL and PLMN identity (PLMN ID) is much more demanding for a terminal than reading the PCI. The usage of the CIPL and PLMN ID requires that the terminal is properly synchronized with the cell and that the terminal waits for a periodic transmission of the relevant part of the system information to occur.
The creation of the neighbor cell relations for each cell may be based on the PCI or the combination of CIPL and PLMN ID discussed above. In most cellular systems, the creation of the neighbor cell relations is a management task that takes into account the configuration of the system. However, in LTE, this method is abandoned in favor of automatic detection of neighbor cells aided by terminals and subsequent automatic creation of the neighbor relation, establishment of the X2 interface, and exchange of relevant information between the involved eNBs (unless the neighboring cells belong to the same eNB, in which case the neighbor relation creation, albeit possibly not neighbor detection, is an entirely eNB internal matter).
This approach relies on measurement reports from active terminals to detect neighbor cells. The reports may include the PCIs (as well as other measurement parameters) of detected cells. When a PCI of a base station that is new to the serving eNB is reported, the serving eNB requests the terminal to read and report the CIPL and PLMN ID of the new cell with the relevant PCI. This action requires that the serving eNB schedules a measurement gap, i.e., a gap in the regular transmissions to and from the terminal, during which the terminal may tune and synchronize its receiver to the other cell until the CIPL and PLMN ID have been received. The term “new” is used here, for example, for a cell that was not previously reported by any user terminal to the base station of the serving cell. Alternatively or in addition, the term “new” includes the case when the base station of the serving cell does not know the global cell identity corresponding to the PCI reported by the user terminal, which is due to the fact that the PCI has not been reported before and thus, the base station has not had any reason to find it out. For example, the identity may be old but just recently turned into a potential neighbor cell due to a change in the radio environment (e.g., a torn down building).
When the terminal has reported the CIPL and PLMN ID of the new possible neighbor cell, the serving eNB may conclude that the new cell belongs to the same PLMN as the serving eNB itself, and may choose to include the new cell into its list of neighbor cells. The serving eNB then may use the CIPL to retrieve the IP address of the neighbor eNB, which serves the detected new cell, establish the X2 interface with this neighbor eNB (unless the X2 interface was already established), and exchange information which is relevant for the X2 interface and the neighbor relation. This process of building neighbor cell lists is referred to as Automatic Neighbor Relation (ANR).
FIG. 4 illustrates a possible exchange of information between serving eNB 12a, new eNB 12b and a terminal 18 served by the serving eNB 12a. In step 1, terminal 18 detects the PCI of the new eNB 12b. In step 2, terminal 18 reports the PCI and other measurements of the new eNB 12b to the serving eNB 12a. In step 3, the serving eNB 12a schedules the measurement gap during which terminal 18 synchronizes with the new eNB 12b to detect other parameters of the new eNB 12b. Then, in step 4, the serving eNB 12a instructs terminal 18 to detect PLMN ID and CIPL of the new eNB 12b. In step 5, terminal 18 receives the PLMN ID and CIPL from the new eNB 12b and in step 6 terminal 18 transmits this information to the serving eNB 12a. Based on this information, the serving eNB 12a and the new eNB 12b establish interface X2 and each generate/update its neighbor relation. The interface X2 may be part of a transport network 20, which may be implemented as a landline. An alternative to scheduling measurement gaps (step 3), i.e., transmission gaps dedicated for retrieval of the PLMN ID and CIPL of a detected neighbor cell, is to place the user terminal in a DRX (Discontinuous Reception) mode, in which the periods when the terminal is not obliged to listen for transmissions from the serving eNB are long enough to allow retrieval of PLMN ID and CIPL of a neighbor cell. Yet another potential variation of the above procedure is that the terminal 18 reports the PCI, PLMN ID and CIPL of a detected neighbor cell without a prior report of only the PCI.
A concern exists when new cells are entering the system and neighbor cell relations are generated. This concern is related to the security of the system and is addressed next. The communication between two eNBs is supposed to be performed via the operator's protected zone (part of the Network Domain Security (NDS), see for example 3GPP TS 33.210 v7.3.0, “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network Domain Security; IP network layer security (Release 7)”, September 2007, the entire content of which is incorporated here by reference). It is also supposed that each eNB 12a and 12b (or each eNB site) has established a secure communication path 22 to the operator network 24, as shown in FIG. 5. Thus, the two eNBs 12a and 12b communicate via a virtual private network (VPN), which means that the two eNBs trust each other and their mutual communication is secure. The communication path 26 over the X2 interface is also secure while communications over network 28 are insecure.
Alternatively, the two eNBs may communicate directly, without being routed via the operator's NDS zone, as shown in FIG. 6. In this case, each pair of eNBs (or pair of eNB sites) having neighbor relations has to secure the mutual communication of the base stations of the pair. Securing the communication may be achieved using IP security (IPsec, according to RFC 4301) based on Security Associations (SAs) established using Internet Key Exchange version 2 (IKEv2) authenticated by certificates. In this alternative, the certificates and IPsec provide similar security as in the NDS case, i.e., the pair of eNBs can trust each other and their mutual communication 22 is secure as illustrated in FIG. 6. In addition, FIG. 6 shows that the secure communication 22 is not routed via the operator's NDS zone 24.
Using direct communication via eNB-eNB X2 interface achieves a shorter communication path and eliminates the cryptographic operations in the operator network's security gateways. Thus, according to one scenario, an X2 communication via the operator network is the initial track and subsequently, a direct eNB-eNB X2 communication path may be established as the final communication path.
However, a couple of problems to be discussed next affect the above noted setup for eNB to eNB communications. A first problem affecting the above described procedure for generating and implementing neighbor relations is that although the actual neighbor relation establishment is secure, in terms of trust relations and protected communication, the relevancy of a reported neighbor is not known. In other words, there is no mechanism for determining whether an alleged neighbor cell is indeed a neighbor cell and thus whether an alleged neighbor eNB is indeed a neighbor eNB. An example is described next to illustrate this problem. Suppose that a malicious terminal reports false CIPLs collected from other parts of the network, which are not neighbor cells of the serving cell. The serving eNB, not being configured to determine the relevancy of the asserted neighbor cells, would establish unwanted neighbor relations with cells that are in fact not neighbor cells.
Another example that illustrates this problem is as follows. Suppose that two malicious terminals, UEA and UEB communicate with each other from different (geographically distant) parts of the network. UEA collects CIPLs from location A and sends the CIPLs to UEB at location B. Then, UEB may report these geographically distant CIPLs, collected in real-time, to the serving eNB. The geographically distant CIPLs correspond to cells that are not neighbor cells of the serving cell. Thus, these CIPLs correspond to alleged neighbor candidates. Not having a mechanism to check that the alleged neighbor candidates are neighbors indeed, the serving eNB would establish communication with these alleged neighbor cells and add them to the neighbor cell relations. This results in unnecessary neighbor relations being established. In this context, UEA does not have to be an actual terminal. It may be some other type of device, as long as it can receive and decode the system information broadcast from LTE eNBs.
Establishing unnecessary neighbor relations may drain an eNB's resources and also may limit the capability of the eNB to establish valid neighbor relations, especially when the eNB cannot maintain an unlimited number of neighbor relations. Although the LTE standard may place no hard restrictions on the number of neighbor relations a cell or eNB may have, the fact that each neighbor cell has a PCI that is unique among the neighbors sets an upper bound. In addition, most implementations likely have their own limit on the number of neighbor relations, after which the eNB accepts no new ones until some of the existing ones have been terminated. In practice, an eNB may monitor the usage frequency (and handover success rate) of each cell listed in the neighbor cell relations, so that unnecessary neighbor relations are eventually terminated.
Still another example when an eNB is affected by false neighbor cells is discussed next. Suppose that a new cell or eNB is entering service in the network. Initially, the new eNB has no neighbor relations. The neighbor relations are built up gradually, aided by moving terminals. At this point, a malicious terminal has the opportunity to “fill up” the eNB with false neighbor relations, so that there is no more “room” left for real neighbor relations to true neighbors. It will then take some time (which is implementation dependent) until the eNB determines that most of its neighbor relations are unnecessary and starts removing these unnecessary relations. Until this happens, handovers to and from the new eNB are not possible. Thus, this is a potential threat that should be avoided if possible.
Another consequence of adding excessive numbers of false neighbors to a given cell or eNB is that it increases the risk of PCI conflicts. In addition, it will be increasingly hard to find a collision free PCI for a cell whose PCI has to be changed because of a detected PCI collision or for a newly deployed cell. This may trigger (sometimes extensive) reshuffling of PCIs among cells in the network in order to avoid (the actually non-existent) PCI conflicts, resulting in traffic disturbances and dropped connections.
Another problem with establishing neighbor relations relates to the Internet Key Exchange (IKE) processing performed by an eNB or a site Security Gateway (SEGW) in establishing security associations for direct X2 communications. It may well be the case that X2 communication via the operator network as shown in FIG. 5 introduces large latency, e.g., for handover situations because of multiple encryptions and decryptions and other cryptographic operations performed by the repeated IPsec processing on the path, so that direct X2 communication as shown in FIG. 6 is preferable.
Hence, when a serving eNB is presented with a new neighbor, or a new neighboring site, this may trigger heavy public key cryptography operations of IKE, reducing the available capacity in the eNB or SEGW for other operations. Generating multiple X2 connections to alleged neighbor eNBs may trigger a Denial-of-Service attack on both serving and alleged neighbor base stations. In particular, by presenting a particular alleged neighbor eNB to multiple serving eNBs in a distributed and synchronized attack, the alleged neighbor base station may be “detained” when establishing unnecessary secure connections between eNBs or sites. This attack may be effective not only during the network deployment phase but under other scenarios.
Although malicious terminals are not very often present and considerable knowledge is required to create one, the threat of manipulated terminals interfering with network activities is serious and problematic for existing networks. When the network, as in the case of neighbor cell detection in LTE, makes itself dependent on terminals for network configuration matters, the potential attack to the base stations is real.
In addition, simply relying on successful handovers as a verification of neighbor cell validity may not suffice, because neighbor relations and X2 interfaces may be established for other purposes than handovers, e.g., for inter-cell interference coordination (ICIC). Because handovers among such neighbor cells (interested in ICIC) may never be performed, the neighbor relation is left unvalidated.
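The neighbor-table concerns discussed above (a limit on the number of relations, PCI uniqueness among neighbors, usage-based removal, and relations kept only for ICIC) can be modeled in a few lines. The following is an added illustration, not part of the original text: the limits MAX_RELATIONS and IDLE_LIMIT, the class and function names, and all cell identities are assumptions constructed for the example. It shows how many monitoring rounds a true neighbor stays blocked and that handover-based aging also removes a valid ICIC relation.

```python
# Added illustration, not from the original text; limits are assumed values.
from dataclasses import dataclass

MAX_RELATIONS = 4  # assumed implementation limit on neighbor relations
IDLE_LIMIT = 3     # assumed audit rounds without a handover before removal

@dataclass
class Relation:
    cgi: str              # PLMN ID + CIPL as reported by a terminal
    idle_rounds: int = 0  # audit rounds since the last successful handover

class NeighborTable:
    def __init__(self):
        self.by_pci = {}  # PCI must be unique among a cell's neighbors

    def report(self, cgi, pci):
        """Process a terminal-reported neighbor and return the outcome."""
        known = self.by_pci.get(pci)
        if known is not None:
            return "known" if known.cgi == cgi else "pci_conflict"
        if len(self.by_pci) >= MAX_RELATIONS:
            return "rejected_full"
        self.by_pci[pci] = Relation(cgi)
        return "added"

    def handover_ok(self, pci):
        self.by_pci[pci].idle_rounds = 0

    def audit(self):
        """One monitoring round: age all relations, drop the long-idle ones."""
        removed = []
        for pci, rel in list(self.by_pci.items()):
            rel.idle_rounds += 1
            if rel.idle_rounds >= IDLE_LIMIT:
                removed.append(self.by_pci.pop(pci).cgi)
        return removed

def simulate():
    """Constructed scenario; all identities below are made-up sample values."""
    nrt = NeighborTable()
    # Unverified reports of distant cells arrive first and fill the table.
    outcomes = [nrt.report(f"00101-far{i}", 100 + i) for i in range(MAX_RELATIONS)]
    outcomes.append(nrt.report("00101-near", 7))     # true neighbor
    outcomes.append(nrt.report("00101-other", 100))  # reused PCI, other cell
    blocked = 0
    while nrt.report("00101-near", 7) == "rejected_full":
        nrt.audit()   # handovers are impossible until aging frees a slot
        blocked += 1
    # A relation kept only for ICIC never sees a handover, so aging drops it too.
    nrt.report("00101-icic", 8)
    dropped = []
    for _ in range(IDLE_LIMIT):
        nrt.handover_ok(7)
        dropped += nrt.audit()
    return outcomes, blocked, dropped, sorted(nrt.by_pci)

if __name__ == "__main__":
    print(simulate())
```

In this model the blocked interval equals IDLE_LIMIT audit rounds, which is the implementation-dependent delay the text refers to.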
Accordingly, it would be desirable to provide devices, systems and methods for checking neighbor cell validity that avoid the afore-described problems and drawbacks.